Private mongodb credentials in production environment #9

ghost opened this Issue Dec 26, 2012 · 1 comment



Sorry if this is a very beginner question but...

Is there a way of using this in a production environment, and be able to keep your database credentials private?

I ask because this puts all the database work on the client side, right?


@timothybone I assume that by "database credentials" you mean the apiKey from the MongoLab, right? If so, the current MongoLab adapter just relies on what is available in MongoLab and the current authentication mechanism for the RESTful API is only based on the API key and gives full read / write access to the entire database:


Please note that this apiKey will give full access to all data within the databases belonging to your MongoLab account. If you do not have it secured on an app server, someone can gain access to it and your data.

If you want to use the MongoLab in production for non-public data you will need a server cooperating and providing a security mechanism. Please note that the current adapter has an option of specifying a base URL so you can simply "hide" RESTful URLs behind a thin proxy as we did in the angular-app:

So, while the MongoLab REST API is great for demos and publicly available data it is not enough for private, sensitive data and you need to provide authentication on the server.

One more observation: exposing the apiKey might sound scary but please note that any RESTful API that gives the ability to query, modify and delete data exposes the whole data set to the external world. So the whole problem is more linked to exposing and securing RESTful APIs and not limited to the MongoLab or this adapter.

Closing this issue, we can discuss more on the mailing list.
